In modern enterprises, signature-based threat detection is still considered a fundamental building block of most network defense strategies. To stay ahead of today’s sophisticated threats, you have to keep your signatures contextually relevant and up to date.
Unfortunately, this is particularly challenging when signature management falls on the shoulders of a single individual, or, conversely, when a large distributed team is responsible for writing, testing, and deploying signatures. If you are like most organizations, you have a collection of signatures from a variety of places, and they are rarely organized or associated with where they were obtained and why they were deployed.
Managing signatures (host or network based) just became easier with ThreatConnect. Now you can manage and add context to your signatures through associations to specific incidents and threat indicators. You can also share and collaborate around your signatures privately within your team or publicly within a community. ThreatConnect now supports many popular signature formats, including Snort, YARA, CybOX, OpenIOC, ClamAV, Suricata, and Bro signatures.
Signatures are no longer flat and context-free once they are associated with Indicators, Incidents, and Threats. Coupled with the ability to add attributes, tags, and comments, they become part of your Threat Intelligence process and threat repository. Now when a signature fires, you can know at a glance what it means to your network, streamline incident response, and make your network monitoring team more efficient and smarter.
Below is a quick overview of the ThreatConnect Signatures feature highlighting how you can start using it today.
Signature Creation:
Once logged into ThreatConnect, use the Upload button to start importing a signature file.
From here, designate an owner for the signature file you are about to upload, select the signature type, and click Import.
During the import process, you will have a chance to name your file, provide a description, and add a source. You will also be able to associate the signature with Indicators, Threats, or specific Incidents.
High Context Signature Management:
Once imported, you are presented with a new Signature Details Page.
On the Signature Details Page, you can add or view tags, add or view commentary from other users, take a look at the actual content of the signature file, or even import a new signature file to correct or update the existing file.
You can also use attributes in ThreatConnect to track your workflow for the signature, making note of deployment status and the likelihood of false positives, and providing relevant hex dumps of traffic samples or strings from binary files.
Click the Follow Signature box to receive immediate or summarized email updates about the signature as others make updates or comments. Of course, you can also follow signatures that others have shared with you and receive notifications as they are updated.
You can view all of your signatures and signatures shared by others on the Browse Screen.
Selecting the Signatures Icon will show you a filterable list including each signature’s name, type, community or account to which it belongs, and the date it was added. Select a signature in the list to quickly view a summary of details or to download the signature.
Signature Collaboration:
Not only can you manage your own signatures in ThreatConnect, you can also choose to share them with others for collaboration, either through a connection to another account or more broadly with a community.
As with everything else in ThreatConnect, you control what you share and with whom. Sharing is done from the signature’s Sharing tab, where you can also see a log of whom you have shared with and when.
Once shared, others can add their own insight through comments and additional associations, tags, and attributes. They can even upload their own versions of the signature.
With access to an active and growing number of communities, ThreatConnect allows your team to collect and share intelligence by collaboratively tracking advanced threats and the signatures that detect them. If indicator and signature management is a challenge for your organization and you’re looking for a way to help your IR and monitoring teams act faster and more intelligently, check out ThreatConnect.com and see how we can enable your hunt.
As always, happy hunting!